3

Let's sat for example that I have a laptop with just one hard drive running Windows 10. The Laptop's C:\ (boot) drive is encrypted using Bitlocker, and it set up to ask for a PIN on start to decrypt the drive and load the OS.

Is there such a thing (or would it be theoretically possible) as a purely software keylogger that could record the bitlocker PIN after a cold boot?

We are looking at security cases for USB drive vs PIN bitlocker unlocking.

Anders
  • 64,406
  • 24
  • 178
  • 215
Digital Lightcraft
  • 153
  • 5

1 Answers1

5

Yes they exist (like this Russian one uefilog on github Also Hardware key loggers would capture this information. And in theory one could implement an hardware keylogger in the BIOS itself.

How likely they are is a different matter. in most cases its easier to capture this information through other means. (side-channel, social engineering, Hardware key-logger, etc).

But this is one of the use-cases for Smart-card readers with separated numbered keyboard .

LvB
  • 8,217
  • 1
  • 26
  • 43
  • Thank you - It would be great (if you know) if you could expand a bit on how such a software logger manages to run itself pre-boot on an encrypted system, does it live in the MBR? – Digital Lightcraft Mar 19 '18 at 13:52
  • the one in the link is running in the UEFI. so it attached itself to th EUFI loader that is NOT encrypted with the rest of the volume. – LvB Mar 19 '18 at 13:57
  • Would Secure Boot mitigate the threat to the unencrypted portion of the boot volume? – I say Reinstate Monica Mar 19 '18 at 23:45
  • Not really, since the UEFI modules can be loaded in some systems regardless of what you boot. (and it could be signed to work even if it does require it) – LvB Mar 20 '18 at 10:40